httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: [VOTE] Release Apache httpd 2.4.0
Date Thu, 19 Jan 2012 06:14:06 GMT
On 19.01.2012 03:28, Rainer Jung wrote:
> OpenSSL should be 1.0.0f and the strange thing is, that the same tests 
> succeed on Solaris 10 using the same OpenSSL version. Something must be 
> different between my Linux systems, which all fail, and the Solaris box. 
> Could be details of the perl modules required by the test framework, 
> could be that the system OpenSSL on Linux interferes.
> 
> Anyone has an idea, why those CRL checks could fail?

Yes, most likely OpenSSL < 1.0.0 appeared in your $PATH when you created
the config for the test framework, while httpd is now running with
OpenSSL 1.0.0 (grepping for "OpenSSL" in t/logs/error_log should confirm
this).

The root cause is that OpenSSL has changed its issuer hash algorithm
between these two versions, so if you create the test config with
OpenSSL 0.9.8, you will have the following crl directory:

$ ls -l t/conf/ssl/ca/asf/crl
total 4
lrwxr-xr-x  1 kbrand  kbrand   13 Jan 18 18:01 9d0c6ffe.r0 -> ca-bundle.crl
-rw-r--r--  1 kbrand  kbrand  552 Jan 18 18:01 ca-bundle.crl

OpenSSL 1.0.0 and later will look for an "fdd35eee.r0" CRL file, however.
To work around this, execute "ln -s ca-bundle.crl fdd35eee.r0" in that
directory.

> Additional info: even on the failing systems, CRL checks done for other 
> tests in the suite do succeed. Example:
> 
> [Thu Jan 19 02:33:50.878506 2012] [ssl:debug] [pid 5240] 
> ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate 
> Verification, depth 1, CRL checking mode: chain [subject: 
> emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
> Francisco,ST=California,C=US / issuer: 
> emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
> Francisco,ST=California,C=US / serial: C4C8AB4BFBA4FCA8 / notbefore: Jan 
> 19 01:28:00 2012 GMT / notafter: Jan 18 01:28:00 2013 GMT]

I think you're misinterpreting this message - here, "CRL checking mode"
only states what kind of checking is set... whether it passes or fails
can only be seen from the succeeding message (either there isn't any,
or you will see "Certificate Verification: Error (3): unable to get
certificate CRL" and the like).

Kaspar

Mime
View raw message